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Abstract 


We describe a technique to reliably identify individ- 
ual integrated circuits (ICs), based on a prior delay 
characterization of the IC. 

We describe a circuit architecture for a key card 
for which authentication is delay based, rather than 
based on a digital secret key. We argue that delay- 
based authentication of the key card is secure be- 
cause it is hard to create an accurate timing model 
for the circuit used in the key card. We also argue 
that key cards built in this fashion are resistant to 
many known kinds of attacks. 

Since the delay of ICs can vary with environmental 
conditions such as temperature, we develop compen- 
sation schemes and show experimentally that reliable 
authentication can be performed in the presence of 
significant environmental variations. 


Introduction 


We describe a technique to identify and authenti- 
cate arbitrary integrated circuits (IC’s) based on a 
prior delay characterization of the IC. While IC’s can 
be reliably mass-manufactured to have identical digi- 
tal logic functionality, the premise of our approach is 
that each IC is unique in its delay characteristics due 
to inherent variations in manufacturing across differ- 
ent dies, wafers, and processes. While digital logic 
functionality relies on timing constraints being met, 
different ICs with the exact same digital functionality 
will have unique behaviors when these constraints are 


not met, because their delay characteristics are dif- 
ferent. 


Researchers have proposed the addition of specific 
circuits that produce unique responses due to manu- 
facturing variations in IC’s such that these IC’s can 
be identified (e.g., [LDT00]). However, with these 
techniques, the focus is simply on assigning a unique 
identifier to each chip, without having security in 
mind. In order to authenticate an IC, a key has to be 
placed within the IC, access to the key has to be re- 
stricted to cryptographic primitives, and the IC has 
to be made tamper resistant, so an adversary cannot 
determine the key without destroying it. In essence, 
digital information has to be hidden in the IC. 


Making an IC tamper-resistant to all forms of at- 
tacks is a challenging problem and is receiving some 
attention [And01]. Numerous attacks are described 
in the literature. These attacks may be invasive, e.g., 
removal of the package and layers of the IC, or non- 
invasive, e.g., differential power analysis [KJJ99] that 
attempts to determine the key by stimulating the IC 
and observing the power and ground rails. IBM’s PCI 
Cryptographic Coprocessor encapsulates a 486-class 
processing subsystem within a tamper-sensing and 
tamper-responding environment where one can run 
security-sensitive processes [SW99]. However, pro- 
viding high-grade tamper resistance, which makes it 
impossible for an attacker to access or modify the se- 
crets held inside a device, is expensive and difficult 
[AK96, AK98]. 


We propose that authentication be based on hid- 
den delay or timing information corresponding to a 


circuit rather than digital information. We will argue 
that the level of tamper resistance required to hide 
delay information is significantly less than for digital 
information. Invasive methods to determine device 
and wire delays will invariably change the delay of 
the devices or wires upon removal of the package or 
metal layers. Further, non-invasive attacks that are 
sometimes successful in discovering secret digital keys 
such as differential power analysis (DPA) [KJJ99] 
and electromagnetic analysis (EMA) [QS01] fail to 
provide precise enough delay information to break 
delay-based authentication. An important difference 
between hiding digital information versus timing in- 
formation is that in the former case the manufacturer 
can produce many ICs with the same hidden digital 
key, but it is very hard, if not impossible, for a man- 
ufacturer to produce two ICs that are identical in 
terms of their delay characteristics. 


To elaborate, our thesis is that there is enough 
manufacturing process variations across ICs with 
identical masks to uniquely characterize each IC, and 
this characterization can be performed with a large 
signal-to-noise ratio (SNR). The characterization of 
an IC involves the generation of a set of challenge- 
response pairs. To authenticate ICs we require the 
set of challenge-response pairs to be characteristic of 
each IC. For reliable authentication, we require that 
environmental variations and measurement errors do 
not produce so much noise that they hide inter-IC 
variations. We will show in this paper, using experi- 
ments and analysis, that we can perform reliable au- 
thentication. 


The rest of this paper will be structured as follows: 
An overview of our approach to identify and authen- 
ticate ICs based on delays is given in Section 2. We 
describe a secure key card application in Section 3. 
We describe the notion of a physical unknown func- 
tion, which is what we are trying to implement, in 
Section 1. We argue that a particular circuit can be 
viewed as a physical unknown function and is resis- 
tant to various types of attacks in Section 4. In Sec- 
tion 6 we describe experiments we have conducted 
using commodity FPGAs that indicate that there is 
enough statistical variation for authentication to be 
viable, and that authentication can be carried out ina 


reliable manner using compensated measurements.! 


1 Definitions 


Definition 1 A Physical Unknown Function (PUF) 
is a function that maps challenges to responses, that 
is embodied by a physical device, and that verifies the 
following properties: 


1. Easy to evaluate: The physical device is eas- 
ily capable of evaluating the function in a short 
amount of time. 


2. Hard to predict: From a polynomial number 
of plausible physical measurements (in particu- 
lar, determination of chosen challenge-response 
pairs), an attacker who no longer has the device, 
and who can only use a polynomial amount of 
resources (time, matter, etc...) can only extract 
a negligible amount of information about the re- 
sponse to a randomly chosen challenge. 


In the above definition, the terms short and poly- 
nomial are relative the size of the device, which is 
the security parameter. In particular, short means 
linear or low degree polynomial. The term plausible 
is relative to the current state of the art in measure- 
ment techniques and is likely to change as improved 
methods are devised. 

In previous literature [Rav01] PUFs were referred 
to as Physical One Way Functions, and realized us- 
ing 3-dimensional micro-structures and coherent ra- 
diation. We believe this terminology to be confusing 
because PUFs do not match the standard meaning of 
one way functions [MvOV96]. 


Definition 2 A type of PUF is said to be Manufac- 
turer Resistant if it is technically impossible to pro- 
duce two identical PUF's of this type given only a poly- 
nomial amount of resources. 


Manufacturer resistant PUFs are the most inter- 
esting form of PUF as they can be used to make un- 
clonable systems. 


1A preliminary set of experiments for a simpler circuit are 
presented in [GCvDD02b]. 


We will describe how we can create silicon PUFs 
using delay characterization in the next section. We 
will argue in subsequent sections that it is hard to 
completely characterize the timing/delay of silicon 
PUFs. 


2 Delay-Based Authentication 


Our approach and the reasoning behind it is summa- 
rized in the next three subsections. 


2.1 Statistical Delay Variation 


When a circuit is replicated across dies or across 
wafers, manufacturing variations cause appreciable 
differences in circuit delays. Across a die, device 
delays vary due to mask variations — this is some- 
times called the system component of delay varia- 
tion. There are also random variations in dies across 
a wafer, and from wafer to wafer due to, for instance, 
process temperature and pressure variations, during 
the various manufacturing steps. The magnitude of 
delay variation due to this random component can 
be 5% or more for metal wires, and is higher for de- 
vices. Delay variations of the same wire or device in 
different dies have been modeled using Gaussian dis- 
tributions and other probabilistic distributions (e.g., 
[BNO], [Ber98]). 

We briefly note here that in our experiments, the 
standard deviation of path delays in our example cir- 
cuits across different FPGAs was in the range of 400 
ppm. 


2.2. Environmental Effects 


On-chip measurement of delays can be carried out 
with very high accuracy, and therefore the signal-to- 
noise ratio when delays of corresponding wires across 
two or more ICs are compared is quite high, provided 
environmental variation is low. To keep the signal-to- 
noise ratio high under significant environmental vari- 
ations, we require compensated delay measurement 
(cf. Section 6). Using compensated delay measure- 
ment, under significant temperature and power sup- 


ply variation?, we can keep the standard deviation 
of compensated delays to within 25 ppm, which is 
significantly smaller than the standard deviation of 
inter-chip variation. 

Circuit aging can also change delays, but its effects 
are significantly smaller than temperature and power 
supply effects. 


2.3. Generating Challenge-Response 
Pairs 


As we mentioned in the introduction, manufactur- 
ing variations have been exploited to identify indi- 
vidual ICs. However, the identification circuits used 
thus far generate a static digital response (which is 
different for each IC). We propose the generation of 
many challenge-response pairs for each IC, where the 
challenge can be a digital (or possibly analog) input 
stimulus, and the response depends on the transient 
behavior of the IC, and can be a precise delay mea- 
sure, a delay ratio, or a digital response based on 
measured delay or ratios. 

The transient behavior of the IC depends on the 
network of logic devices as well as the delays of the de- 
vices and interconnecting wires. Assuming the IC is 
combinational logic, an input pair (v1, v2) produces 
a transient response at the outputs. Each input pair 
stimulates a potentially different set of paths in the 
IC. If we think of each input pair as being a chal- 
lenge, the transient response of the IC will typically 
be different for each challenge. 

The number of potential challenges grows with the 
size and number of inputs to the IC. Therefore, while 
two ICs may have a high probability of having the 
same response to a particular challenge, if we apply 
many challenges, then we can distinguish between the 
two ICs. More precisely, if the standard deviation of 
the measurement error is 6, and the standard devi- 
ation of inter-FPGA variation is a, then for Gaus- 
sian distributions, the number of bits that can be ex- 
tracted for one challenge is up to (though this limit 


Temperature and power supply voltage have a significant 
affect on the absolute values of circuit delays [WE85]. 


is difficult to reach in practice): 
1 
sloge(1 + 0/8) 


By using multiple independent challenges, we can ex- 
tract a huge number of identification bits from an IC. 
Actually producing a large number of bits is difficult 
to do in practice with multiple challenges because the 
responses to challenges are not independent. How- 
ever, it is much easier to extract the information from 
the measurements if we are willing to get less than 
the maximum number of bits, and in the case where 
d<<a. 

Upon every successful authentication of a given IC, 
a set of challenge-response pairs is potentially re- 
vealed to an adversary. This means that the same 
challenge-response pair cannot be used again. If 
the adversary can learn the entire set of challenge- 
response pairs, he can create a model of a counter- 
feit IC. To implement this method, a database of 
challenge-response pairs has to be maintained by the 
entity that wishes to identify the IC. This database 
need only cover a small subset of all the possible 
challenge-response pairs. However, it has to be kept 
secret as the security of the system only relies on 
the attacker not being able to predict which chal- 
lenges will be made. If the database ever runs out 
of challenge-response pairs, it can be necessary to 
“recharge” it, by turning in the IC to the authority 
that performs the authentication. 


3 Key Card Application 


One of the principal applications for physical un- 
known functions (PUFs) is to provide tamper- 
resistant, unique, unforgeable identifiers for key 
cards. We will argue in Section 4 that silicon PUFs 
are difficult to forge and, as a result, these key cards 
are difficult to clone. Examples of practical usages 
include using a card-PUF in digital mobile phones 
and set-top boxes to identify the phones and boxes 
to service providers and networks. The cards can also 
be combined with biometrics to help identify users. 
With these identifiers, the cards can be used for au- 
thenticated identification, in which someone or some- 
thing with physical access to the card can use it to 


gain access to a protected resource. The general 
model is that of a principal with the key card pre- 
senting it to a terminal at a locked door. The ter- 
minal can connect via a private, authentic channel 
to a remote, trusted server. The server has already 
established a private list of Challenge-Response Pairs 
(CRPs) with the card. When the principal presents 
the card to the terminal, the terminal contacts the 
server using the secure channel, and the server replies 
with the challenge of a randomly chosen CRP in its 
list. The terminal forwards the challenge to the card, 
which determines the response. The response is sent 
to the terminal and forwarded to the server via the 
secure channel. The server checks that the response 
matches what it expected, and, if it does, sends an 
acknowledgment to the terminal. The terminal then 
unlocks the door, allowing the user to access the pro- 
tected resource. The server should only use each chal- 
lenge once, to prevent replay attacks; thus, the user 
is required to securely renew the list of CRPs on the 
server periodically. 

As we have implemented them in this paper, card- 
PUFs can be used for authenticated identification, as 
described above. However, control can be added to 
the cards, enabling an entire suite of protocols for 
using the cards for authenticating messages, certi- 
fied execution and software licensing. This work is 
detailed in [@CvDD02a]. The control is added to 
thwart man-in-the-middle attacks and provides re- 
strictions on when and to whom responses are given 
by the card. 


4 Attacks 


There are many possible attacks on silicon PUFs — 
we describe some of them in this section. 


4.1 Duplication 


To break the authentication methodology, the adver- 
sary can fabricate a “counterfeit” IC containing the 
PUF that produces exactly the same responses as the 
original IC/PUF for all challenges. Given the statis- 
tical variation inherent in any manufacturing process, 
we argue that the probability of this happening for a 


newly fabricated IC is very low, implying that the ad- 
versary will have to fabricate a huge number of ICs, 
and make comprehensive measurements on each one, 
in order to create and discover a counterfeit. This is 
a very expensive proposition, both economically and 
computationally speaking. That is why we claim that 
sillicon PUFs are manufacturer resistant (see section 
1). 


4.2 Timing-Accurate Model 


Alternately, the adversary can attempt to create a 
timing-accurate model of the original PUF and sim- 
ulate the model to respond to challenges, in effect 
creating a “virtual counterfeit.” The accuracy of this 
model has to be comparable to the accuracy of re- 
liable (on-chip) circuit delay measurement in order 
to produce a successful virtual counterfeit. Here, 
the adversary has three options, direct measurement, 
exhaustive enumeration of challenges, and model- 
building using observed responses based on a subset, 
i.e., a polynomial number of challenges. 


4.2.1 Direct Measurement 


The adversary can attempt to directly measure device 
delays of the circuit by probing or monitoring internal 
devices. In order to do this at the level of accuracy 
required to break authentication, he will have to re- 
move the package and insert probes. Non-invasive at- 
tacks such as DPA [KJJ99] and EMA [QS01] extract 
information about collections of devices, not individ- 
ual devices. If the delays of the devices are made to 
depend on the package, to an extent coarser than the 
resolution of delay measurement, this attack will fail. 
This is because delay characterization to obtain the 
challenge-response pairs is performed after the IC has 
been fabricated and packaged, and the removal of the 
package (and perhaps metal or field oxide layers) will 
change the device delays appreciably. 


4.2.2 Exhaustive Model 


Clearly, a model can be built by exhaustively enumer- 
ating all possible challenges, but this is intractable, 


since there are an exponential number of possible 
challenges. 


4.2.3. Model Building Using Challenge Sub- 
set 


The adversary can use a publicly available mask de- 
scription of the IC/PUF and apply challenges and 
monitor responses and attempt to build a timing- 
accurate model. 

We first note that creating accurate timing models 
given mask information is an intensive area of re- 
search. Even the most detailed circuit models have 
a resolution that is significantly coarser than the res- 
olution of reliable delay measurement. If an adver- 
sary is able to find a general method to determine 
polynomial-sized timing models that are accurate to 
within measurement errors, this would represent a 
breakthrough. However, the adversary has a slightly 
different problem — he needs to build a highly accu- 
rate model of a particular IC, to which he has access, 
and to which he can apply challenges and monitor 
responses. 

The transient response of an IC is a non-linear and 
non-monotonic function of the delays of wires and de- 
vices in the IC. The adversary has to guess a general 
enough parameterizable model (e.g., delay of a device 
is dependent on load capacitance and transitions of 
neighboring devices), and obtain enough responses to 
well-chosen challenges such that he obtains a system 
of equations that can be inverted to obtain the pa- 
rameters of his model. 

We will discuss the barriers confronting the adver- 
sary in Section 5 for our chosen candidate PUF. 


5 A Candidate PUF and Anal- 
ysis of Model Building 


The circuit for which we will measure delays that 
is implemented in our key card is depicted in Fig- 
ure 1. A challenge of n = 128 bits is transformed by 
a one-way function into a bit pattern b = (b1,...,0n). 
The bits b; control switches. If 6; = 1, the switch is 
crossed (Figure 2); if b; = 0, the switch is uncrossed 
(Figure 3). The input of the circuit is a wave with 
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Figure 1: circuit illustrating how paths are selected 
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Figure 2: switch with b; = 1 


a single transition from 0 to 1. Initially, it is copied 
and the two waves are passed through the switches 
until they arrive at the AND gate. Depending on 
the delays from switch to switch one of the two wave 
fronts arrives first at the AND gate. The AND gate 
filters this wave front, only the second wave front is 
forwarded. The wave fronts follow complementary 
paths, the wave front following the path with the 
maximum delay is the output of the circuit. The 
total delay of a path is a sum of link delays and is de- 
termined in a linear way by the bits b;. The response 
of the loop is in one to one correspondence with the 
maximum value of the two path delays. 


d gio 


d 4i43 


Figure 3: switch with b; = 0 


The path maximizing the delay is called the maz- 
imizing path of b. The maximizing delay can be 
derived from the response and is denoted by m(b). 
Let d,,...,d4a, be the different link delays of the 
circuit. We represent the two paths by sets P,(b) 
and P2(b) such that their corresponding delays are 
the sums )/jep,(p) i and DU iep,(p) di respectively. 
So either equation m(b) = )7j<p,(p) di or equation 
m(b) = Viep,(p) di holds. To the advantage of the 
adversary we assume no measurement noise and we 
assume that all link delays are constant and do not 
depend on the environment. 

An adversary may input challenges of his choice 
and measure the corresponding responses. To argue 
his difficulty of building a model containing precise 
values for all the link delays d; we show that 


1. he has difficulty computing a linear set of equa- 
tions solving all the link delays, and that 


2. his resulting problem resembles the problem of 
sparsification of matrices for which the best 
known algorithm is exponential. 


A challenge leads to 2 linear equations of which 
one is correct. Hence, two different challenges lead 
to 4 sets of 2 linear equations each, etc. In general 
k challenges lead to 2* sets of k linear equations of 
which one set is the correct one. As each set of linear 
equations has 4n unknown delays, the adversary can 
use 4n challenges to do an exhaustive search among 
the 24” sets of linear equations to determine the cor- 
rect set with which he can solve the link delays d; and 


build a model. The 24” sets represent an exponen- 
tial amount of work for the adversary using poly(n) 
challenges. 

Without the one way function an adversary can 
choose the bit pattern b without any restrictions 
and obtain the value m(b). Let two patterns b 
and b differ in two neighboring positions, for ex- 
ample b = (b1,. aan ,b;,0,0, bj+3,.. ., bn) and b = 
(b1,...,0i,1,1,bi43,.-.,bn). Then, the maximizing 
paths of b and b are most likely the same paths, 
only deviating in the (i+1)'" and (i+ 2)!" switch; in 
other words, if the top path of b is the maximizing 
path of b, say, then the top path of bis very likely to 
be the maximizing path of b. With this information, 
the adversary can halve the number of possible sets 
of equations, limiting his search space. 

We can avoid this problem by putting a one way 
function. However, accidentally two challenges may 
differ in a small number of coordinates after apply- 
ing the one way function. It can be shown that this 
probability is exponentially small in n.3 

Fabrication process variations may lead to an 
asymmetric circuit in which one link delay is much 
larger than all the others. If this link delay is present 
in a path then this path will be the maximizing path 
and a linear equation is obtained. Such circuits can 
be easily modeled by an adversary. Our premise is 
that such large fabrication process variations occur 
with negligible probability. Further, if necessary, we 
can simply check to see if this is the case for each 
fabricated circuit and discard circuits with large vari- 
ations because they can potentially be modeled. 

The theoretical problem which the adversary needs 
to solve is a smart exhaustive search among all the 
possible sets of linear equations. Let us reformu- 
late this problem. We represent the paths P;(b) by 
columns of 1’s and 0’s. The i” coordinate is equal 
to 1 if and only if 7 is an element of the set P;(b). In 
this way we build a matrix with 4n rows, correspond- 
ing to the 4 delays for each switch, and 2c columns 
corresponding to 2 equations for each of c challenges. 
We add one extra row with the values m(b). Let A 
be the resulting matrix. Figure 4 illustrates matrix 


3 An error correcting code can be used to guarantee a large 
Hamming distance between patterns b. 


A: b?" is the coordinate in the i” position of the 
column corresponding to P;(b). 

Let T be a vector which left multiplies matrix A 

and which consists of variables representing the 4n 
link delays and an additional entry —1. If T consisted 
of the actual link delays, then, if it is left multiplied 
with A, it creates a vector in which there is a zero in 
at least one of every two elements. 
(di, dg, dg,...,dan, —1) - A = (*,0,0, *,0,*,...,*, 0) 
illustrates the Gaussian elimination for obtaining 
zero entries in the last row of A. Thus, the goal of 
the adversary is to determine an instance of T which 
sparsifies the last row of A, that is, generates as many 
zero entries in the last row of A. The probability 
that this vector is not unique is exponentially small 
in (c—n). 

To sparsify matrix A an adversary may make use 
of side information about 


1. the location of the zero entries*, and 


2. the constraints given by the max operation’. 


The circuit design leads to some structure in the ma- 
trices A as well. However, since the patterns b are 
selected by means of a random process (due to the 
one way function) the matrices A have in this sense 
a random structure. 

In general, without the side information, the best 
known algorithm for sparsifying any matrix has 
a complexity exponential in the number of rows 
[EM98]. Taking the side information about the loca- 
tion of the zero entries into account, the complexity 
of the best known algorithm is still exponential in 
the number of rows. The adversary may be able to 
use the constraints, but there is no obvious way to 
significantly reduce the complexity by exploiting the 
constraints. 


4Each pattern b gives rise to a zero entry in the last row of 
one of its corresponding columns. 
5Both inequalities m(b) > ee (b) d; and m(b) > 


ie Ps(by 4% hold. 
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Figure 4: Matrix A 


6 Experiments 


In order to prove that identification is possible using 
delay variations between Integrated Circuits, we have 
implemented a PUF on Xilinx Spartan 2 FPGAs.® In 
these tests, identical circuits were placed on different 
FPGAs, and the resulting PUF's were compared. Our 
goal in this section is to show that the identification 
is possible given the measurement noise levels and 
manufacturing variations that we have observed. 


6.1 Circuit Details 


Because we do not have full control over the circuits 
that are implemented in an FPGA, a few compro- 
mises have to be made relative to the theoretical de- 
sign. 

First, the unpredictability of the circuit described 
in section 5 relies on having a circuit with a high level 
of symmetry between paths. The general purpose 
routing infrastructure of an FPGA makes it difficult 
to produce precisely matched paths. Therefore the 
FPGA circuits that we worked with do not have the 
degree of symmetry that would be required for a PUF 
to be secure. However, since the asymmetry is the 
same across all components, it does not make any 
change to the difficulty in identifying components, 
which is what we will be discussing in this section. 

The second limitation of FPGAs, is that the lack 
of analog components makes it impractical to directly 
measure the delay of a path through the circuit with 


6The exact components that were used were the 


XC2S8200PQ208-5. 


the precision that we require. To get around this 
problem, we use self-oscillating loops containing the 
path for which we want to measure the delay. Using 
digital circuitry, we can precisely measure the fre- 
quency of the self oscillating loops over a few tens of 
thousands of periods. 

Note, however, that the use of self oscillating loops 
to measure delays is not ideal, and should not be used 
for a production design. First it drastically increases 
the time (and power) that is required to evaluate the 
PUF. Worse, it makes the frequency that is being 
measured, which is the response of the PUF to a chal- 
lenge, vulnerable to differential power analysis. This 
is not very problematic for a key card application, 
but can be fatal in the case of Controlled PUFs (see 
GCvDD02a]). 


Figure 5 shows how a self oscillating loop is built 
around the delay circuit. Since this self-oscillating 
loop has to be used both for rising and falling tran- 
sitions, the and gate that combines the two paths of 
the delay circuit of Figure 1 has been replaced by 
a more complicated circuit that switches when the 
slowest transition, be it rising or falling, reaches it. 
The circuit is essentially a flip-flop that changes state 
when both outputs from the delay circuit are at the 
same level. 


The dotted box indicates a delicate part of the cir- 
cuit that cannot be implemented exactly as shown 
without running the risk of producing glitching in the 
output. In the FPGA it is implemented by a lookup 
table. In an implementation with simple logic, it 
should be implemented in normal disjunctive form. 
The representation that was made here was simply 


Delay Circuit 


Figure 5: A self-oscillating circuit is built around the 
delay circuit. Measuring the frequency of the self- 
oscillating loop is equivalent to measuring the delay 
of a path through the delay circuit. 


chosen for ease of understanding. 


6.2 Robustness Environmental 


Variation 


to 


So far, all our discussion has considered that path de- 
lays in a circuit are constant for a given component. 
In reality, this is far from the case. Environmen- 
tal perturbations can account for variations that are 
large enough to mask out the small manufacturing 
variations that we are trying to measure. Therefore, 
they must be taken into account. 


6.2.1 Temperature and Voltage Compensa- 
tion 


Parameters such as temperature or supply voltage 
can cause variations in delay that are orders of magni- 
tude greater than the manufacturing variations that 
we are trying to observe. For a 30 degree Celsius 
change in temperature, the delays vary on the order 
of 5%. This is to be compared with inter-chip varia- 
tions that are well below 1% on this size of circuit. 
Fortunately, we have found that environmental 


variations operate roughly proportionally on all the 
delays in our circuit, and therefore, they can be com- 
pensated for by always working with delay ratios in- 
stead of absolute delays. Therefore, we place two 
different self-oscillating loops on the FPGA. We run 
both self-oscillating loops to get two frequencies, and 
take a ratio of the two frequencies as the PUF’s re- 
sponse. 

Once compensation has been applied, the variation 
with temperature is of the same order of magnitude 
as the measurement error. 

Up to now, we have assumed that temperature is 
uniform across the integrated circuit. If that is not 
the case then temperature compensation is likely not 
to work well. With the circuit presented here, the 
paths are heated in a uniform way by the transitions 
that are running through them. With other circuits 
in which transitions only reach some parts of the cir- 
cuit, we have observed non uniform heating which can 
cause unreliable measurement results. Therefore, we 
recommend the use of circuits that get heated in a 
uniform way during use. 


6.2.2 Interference With Other Sub-Systems 


Another kind of environmental interference that has 
to be considered is the interaction between a self- 
oscillating loop, and other circuitry on the integrated 
circuit. 

Experiments in which we measure the frequency 
of a loop oscillating alone, or at the same time as 
other loops show that the interference is very small. 
This has been demonstrated in [@CvDD02b] where 
the interference was provided by seven self-oscillating 
loops, and once again in our latest experiments where 
the frequencies of the two loops that are being mea- 
sured can be measured simultaneously or succes- 
sively. In each case, the interference caused by the 
other self-oscillating loops is of the same order of 
magnitude as measurement error. 

There is however one case in which interference is 
non negligible. It is the case when the interference 
is at almost the same frequency as the self-oscillating 
loop. In that case, the loop’s frequency tends to lock 
on the perturbating frequency. Because of this, it 
is recommended not to simultaneously measure the 
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Figure 6: Distribution of responses to randomly se- 
lected challenges. Each response is the ratio of the 
frequencies of two simultaneously-running loops. As 
can be seen, when the loop frequencies are too close, 
the loops lock and the response is unity. 


two frequencies that will get combined into a com- 
pensated measurement. Figure 6 shows the result of 
locking on compensated measurements: values near 
unity have been forced towards unity by the locking 
phenomenon. 


6.2.3 Aging 


Through prolonged use, the delays of an integrated 
circuit are known to shift. We have not yet studied 
the effect that aging might have on a PUF. In par- 
ticular, if the changes due to aging are big enough, 
we might not be able to recognize a PUF after it has 
undergone much use. Studying these aging effects is 
an important aspect that must be covered by future 
work. 


6.3. Identification Abilities 


To test our ability to distinguish between FPGAs, we 
generated a number of profiles for different FPGAs 
in different conditions. A profile is made up of 128 
challenge-response pairs. All the profiles were estab- 
lished using the same challenges. 

Two profiles can be compared in the following way: 
For each challenge look at the difference between the 
responses. You can then look at the distribution 
of these differences. If most of them are near zero, 
then the profiles are close. If they are far from zero 
then the profiles are distant. During our experiments, 
the distribution of differences was typically Gaussian, 
which allows us to characterize the difference between 
two profiles by a standard deviation. 

Figure 7 shows the differences between the profile 
for an FPGA called Abe on Blaise’s test board at 
room temperature, and a number of other profiles (a 
is the standard deviation): 


e Another profile of Abe on Blaise’s test board at 
room temperature (o + 1- 107°). (This reflects 
power supply variations with time at a reader.) 


e A profile of Abe on Tara’s test board at room 


temperature (o ~ 2.5- 107°). (This reflects 
power supply variations across card readers.) 


10 


L0°0 L00°0 1000°0 G0-98} 90-98} 


-------- JaWOY snisjao le O¢-eqy YM paredwiod cay 
as nenee Jayoy snisjeq’sed.6ep OZ say Ulm peredwioo eqy : 
renee Jayjoy snisjaO sdeibap-0 | -aqy Ulm pesediuoo eqy.” 60 
——---- Spreog |seY]UaJEJIP UO egy U}IM paledwos sqy” 


“A J 


------- SUOIpU 3. SIRS. “Egy | UM peseduoo aqy----- 


a a bey yp ng 


oe 1 1 Puiu i yy 4 L 1 L 


other FPGAs. The vertical axis indicates the probability that for a given challenge, the difference in response 
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Figure 7: Comparing the FPGA called Abe at room temperature with itself in various conditions, or with 
will be lower than the difference in response that is indicated on the horizontal axis. 


e Profiles of Abe on Blaise’s test board at 10, 20 
and 30 degrees Celsius above room temperature 
(o = 5-10-° to. 1.5-10-*). 


e Profiles of FPGAs Hal and Walt on Blaise’s test 
board at room temperature (¢ © 4-107“). 


Clearly, it is possible to tell FPGAs apart. Though 
our ability to tell them apart depends on how much 
environmental variation we need to be robust to. 
Even with 30 degree Celsius variations, each chal- 
lenge is capable of providing 0.7 bits of information 
about the identity of the FPGA. This goes up to 1.5 
bits if only 10 degree Celsius variations are allowed. 

If we want to distinguish between 1 billion differ- 
ent components we need a sufficient number of bits 
to identify 1018 ~ 2°° components (this is because 
of the birthday phenomenon). Getting those 60 bits 
of information requires from 40 to 90 challenges de- 
pending on the temperature variations that we are 
willing to tolerate. 

The numbers that are given here are very depen- 
dent on the PUF circuit that is considered. In the cir- 
cuit that we studied in [GCvDD02b] we had a signal 
to noise ratio that was much better than we observed 
in the current circuit. We believe that by paying 
more attention to how our circuit is laid out, we will 
be able to build PUFs for which more bits can be 
extracted from each challenge. 


7 Conclusion 


We have presented a technique for delay-based cir- 
cuit authentication and conducted preliminary exper- 
iments that show that it is viable. More experiments 
are necessary to guage the reliability of authentica- 
tion under environmental variations, including circuit 
aging. 

We argued that delay-based authentication is not 
susceptible to conventional attacks that attempt to 
discover a secret, hidden key. One plausible attack 
is model building. The particular circuit we experi- 
mented with is a simple, symmetric circuit, for which 
it appears that model building is quite hard, though 
not provably hard. 
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While a number of problems need to be solved in 
order to use delay-based authentication in applica- 
tions such as smart card authentication and software 
licensing, we believe that this is a promising direction 
for future research. 
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